Access reviews fail because reviewers can only certify what they can identify. If accounts are unresolved, the review becomes partial, stale, or rubber-stamped, and the control no longer reflects actual privilege. That weakens certification, obscures SoD conflicts, and leaves offboarding dependent on manual memory instead of verified ownership.
Why This Matters for Security Teams
Access reviews only work when reviewers can tie an account to a accountable owner and a legitimate business purpose. When that mapping is missing, certifications become guesswork instead of evidence, and unresolved accounts quietly accumulate risk across shared service logins, orphaned API keys, and inherited admin access. That is especially dangerous for NHI governance, where the issue is often not whether an identity exists, but whether it can be traced back to a verified workload, process, or owner.
The problem shows up repeatedly in breach analysis. NHIMG’s 52 NHI Breaches Analysis highlights how weak identity attribution and poor lifecycle control turn ordinary accounts into long-lived attack paths. OWASP also treats unresolved non-human identities as a core risk area in the OWASP Non-Human Identity Top 10, because access reviews cannot validate what they cannot identify. In practice, many security teams discover this only after a stale account is abused or an offboarding event has already been missed, rather than through intentional review discipline.
How It Works in Practice
A reliable review process starts with identity resolution. For human users, that usually means linking the account to a named employee, manager, and system owner. For NHIs, the equivalent is mapping the account to a workload, application, pipeline, or service function, along with the business or technical owner responsible for its use. Without that context, a reviewer can only guess whether an account is expected, whether it is still active, and whether its permissions are justified.
Current guidance suggests treating identity mapping as a prerequisite control, not a nice-to-have reporting field. The NHI Lifecycle Management Guide frames this as a lifecycle problem: discovery, ownership, entitlement, rotation, and retirement all depend on knowing what the identity belongs to. In operational terms, teams should:
- Require every account to have a named owner, a purpose, and an expiry or review date.
- Separate human, service, and workload identities so reviewers do not certify them with the same checklist.
- Flag unresolved accounts as exceptions, not as approvable access.
- Use joiner-mover-leaver data, CMDB records, and workload inventories to reconcile ownership before review cycles begin.
- Escalate shared or inherited accounts for remediation, because shared usage obscures accountability.
This also matters for secrets and credential governance. NHIMG’s The State of Secrets in AppSec notes that remediation of a leaked secret still averages 27 days, which reinforces a simple point: if ownership is unclear, response is slow. Access reviews should therefore validate not only entitlements but also the evidence that an identity is still required, still used, and still controlled. These controls tend to break down in environments with heavy service account sprawl and fragmented secret stores because no single system has enough context to resolve ownership consistently.
Common Variations and Edge Cases
Tighter ownership rules often increase operational overhead, requiring organisations to balance review quality against the cost of maintaining accurate inventory and approver data. That tradeoff is real, especially in large estates with mergers, contractors, or legacy automation.
There is no universal standard for this yet, but best practice is evolving toward stronger evidence-based certification. In mature environments, unresolved accounts should fail closed until they are attributed, while low-risk exceptions may be time-bound with compensating controls. For service identities embedded in CI/CD, mapping may need to reference a pipeline, repository, or deployment unit rather than a person. That is consistent with the Ultimate Guide to NHIs, which emphasises that NHI ownership is often organisational rather than individual.
Edge cases appear when one account supports multiple teams, when third-party operators manage systems on a customer’s behalf, or when automation spins up short-lived credentials faster than review cadences can track them. In those cases, the control objective shifts from asking who clicked approve to asking whether the organisation can prove accountable stewardship over the identity throughout its lifecycle. The review process becomes weak whenever attribution depends on tribal knowledge instead of a current system of record.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Unresolved accounts are a core non-human identity attribution risk. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and attribution underpin valid access certification. |
| NIST CSF 2.0 | PR.AC-1 | Access decisions fail when identities cannot be tied to an accountable user or workload. |
Deny certification of accounts that lack documented ownership or business justification.
Related resources from NHI Mgmt Group
- What breaks when access reviews do not cover service accounts and workloads?
- What breaks when access reviews treat all non-human accounts the same?
- Should organisations rely on periodic access reviews for privileged accounts?
- Why do spreadsheet-based access reviews fail for regulated privileged access?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
